Copyright © Dorling Kindersley India Pvt Ltd

CAP361: SECURITY AND PRIVACY OF INFORMATION
Bhagat Avinash
Asst. Prof.
Domain: D3
School of Computing Applications
Lovely Professional University
Email: [email protected]
04/08/23
Introduction

The name cryptography comes from the Greek words 'kryptos', which means hidden, and 'graphia', which means writing.
Cryptography is the art of creating and using cryptosystems. Or, simply put, it is the art of secret writing.
Definition

• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Course Overview

• Course Objectives:
1. Understand the importance of security and privacy of information.
2. Understand the importance of protecting the privacy and confidentiality of data.
Course Overview

Text Books: Network Security Essentials: Applications and Standards by William Stallings, Pearson Education Publications, 4th Edition (2012)
References: Network Security Essentials (Applications and Standards) by William Stallings, Pearson Education, 1st Edition
Course Overview

In this age of universal electronic connectivity, of viruses and hackers, and of electronic fraud, there is indeed no time at which security does not matter.
Course Overview

Two trends have come together to make this course necessary:
1. The explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This in turn has led to a heightened awareness of the need to protect data and resources from disclosure.
Course Overview

2. The disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.
Career Overview

• If you have good cryptography knowledge combined with information security concepts and implementation, you will get a good job within one month, and it is sure. There are a lot of software companies in Bangalore looking for good crypto professionals.

• Cryptologists before the 80s were primarily depicted as spy agents involved in deciphering and configuring coded messages to gain momentum against enemy activities. However, with the upsurge of information technology and the increasing dependence on electronic data processing, the range of activities a cryptologist is involved in has expanded.

• The vast digital data that is stored and processed in large computer bases and transmitted through complex communication networks is susceptible to unauthorized interception and interpretation and hence needs to be protected through encrypted remote access or passwords.

• Cryptologists are in demand in the military forces, government agencies, technology companies, banking and financial organizations, law enforcement agencies, universities and research institutes.
Chapter 1
Network Security Essentials
Fourth Edition, by William Stallings
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
— The Art of War, Sun Tzu

The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure.
— On War, Carl von Clausewitz
Computer Security

Standards organizations:
NIST: National Institute of Standards and Technology.
ISOC: Internet Society.
ITU-T: The International Telecommunication Union (Telecommunication Standardization Sector).
ISO: International Organization for Standardization.
Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes H/W, S/W, firmware, information/data, and telecommunications).
CIA triad
(figure)
Computer Security

Integrity means guarding against improper information modification.
1. Data integrity assures that information and programs are changed only in a specified and authorized manner.
2. System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate unauthorized manipulation by users.
Computer Security

Confidentiality means protecting privacy.
1. Data confidentiality ensures that private or confidential information is not made available or disclosed to unauthorized individuals.
2. Privacy assures that individuals control what information related to them may be disclosed, and by whom and to whom it is disclosed.
Computer Security

Availability means ensuring timely and reliable access to and use of information. It assures that systems work promptly and that service is not denied to authorized users.
Computer Security

Authenticity means the property of being genuine and being able to be verified and trusted; confidence in the validity of a
• transmission,
• message,
• message originator.
Computer Security

Accountability means the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Levels of Impact

We can define 3 levels of impact from a security breach:
• Low
• Moderate
• High
Aspects of Security

3 aspects of information security:
• security attack
• security mechanism
• security service
Aspects of Security

Security attack: any action that compromises the security of information owned by an organization.
Security mechanism: a mechanism that is designed to detect, prevent or recover from a security attack.
Security service: a service that enhances the security of the data processing systems and the information transfers of an organization.
Security Services

Information security services replicate the types of functions normally associated with physical documents.
Most of the activities of mankind depend on the use of documents.
Documents typically have signatures and dates; they may need to be protected from disclosure or tampering; they may be notarized, witnessed, recorded or licensed.
Security Services

Challenges to electronic documents:
1. It is usually possible to discriminate between an original paper document and a xerographic copy. However, an electronic document is merely a sequence of bits and bytes.
2. An alteration to a paper document may leave some sort of physical evidence.
3. Any proof process associated with a physical document typically depends upon physical characteristics of the document.
Security Services

List of common Information Integrity functions:
Security Service

• enhances security of data processing systems and information transfers of an organization
• intended to counter security attacks
• using one or more security mechanisms
• often replicates functions normally associated with physical documents
• which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed
Security Services

X.800: "a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers"
RFC 2828: "a processing or communication service provided by a system to give a specific kind of protection to system resources"
Security Services (X.800)

Authentication – assurance that the communicating entity is the one claimed
• covers both peer-entity and data-origin authentication
Access Control – prevention of the unauthorized use of a resource
Data Confidentiality – protection of data from unauthorized disclosure
Data Integrity – assurance that data received is as sent by an authorized entity
Non-Repudiation – protection against denial by one of the parties in a communication
Availability – resource accessible/usable
Security Mechanism

• a feature designed to detect, prevent, or recover from a security attack
• no single mechanism will support all the services required
• however, one particular element underlies many of the security mechanisms in use: cryptographic techniques
• hence our focus on this topic
Security Attacks

Normal Flow, Interruption, Interception, Modification, Fabrication

Normal Flow
(figure: information flows from Source to Destination)

Interruption: This is an attack on availability; an asset of the system is destroyed or becomes unavailable.

Interception: This is an attack on confidentiality; an unauthorized party gains access to an asset.

Modification: This is an attack on integrity. An unauthorized party not only gains access to but tampers with assets.

Fabrication: This is an attack on authenticity. An unauthorized party inserts counterfeit objects into the system.
Security Attacks

Classification of Security Attacks:
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
• Release of message contents
• Traffic analysis
Active attacks:
• Masquerade
• Replay
• Modification of message contents
• Denial of service
Release of message contents
(figure)

Traffic analysis
(figure)
Security Attacks

Classification of Security Attacks: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
• Masquerade
• Replay
• Modification of message contents
• Denial of service
Security Attacks

Masquerade takes place when one entity pretends to be a different entity.
(figure: Masquerade)

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
(figure: Replay)

Modification of message simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
(figure: Modification of message)

Denial of service prevents or inhibits the normal use or management of communication facilities.
(figure: Denial of service)
Model for Network Security
(figure)

Model for Network Security

All the techniques for providing security have two basic components:
1. A security-related transformation on the information to be sent.
2. Some secret information shared by the two principals.

Four basic tasks in designing a particular security service:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
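The following is an added example, not code from the slides or from Stallings' book, that puts the two components and the four tasks above into one small program, and at the same time shows how the receiving side can detect the active attacks listed earlier (modification, masquerade, replay). The security transformation is encrypt-then-MAC; the keystream is HMAC-SHA256 run in counter mode, which is a constructed teaching cipher chosen only to keep the example inside the Python standard library, not a standardized cipher. The shared secret is one random key from which an encryption subkey and a MAC subkey are derived. Task 3, key distribution, is assumed to have already happened out of band: both principals are simply handed the same key. The protocol authenticates a sequence number with every data unit, which is what lets the receiver refuse a replayed unit.

```python
import hashlib
import hmac
import secrets
import struct

# Added teaching example of the model for network security. The keystream
# construction below is a constructed toy, not a standard cipher.

TAG_LEN = 32   # HMAC-SHA256 output length
SEQ_LEN = 8    # 64-bit big-endian sequence number


def generate_key(nbytes: int = 32) -> bytes:
    """Task 2: generate the secret information (a random key)."""
    return secrets.token_bytes(nbytes)


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the one shared secret."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (seq, block counter), concatenated.
    Binding the sequence number in makes every data unit's keystream distinct."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Task 1: the security transformation applied by the sender.
    Output layout: seq (8 bytes) || ciphertext || tag (32 bytes)."""
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Task 4: the receiving principal's side of the protocol."""

    def __init__(self, key: bytes):
        self.enc_key, self.mac_key = _subkeys(key)
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, unit: bytes):
        """Return (plaintext, "ok") or (None, reason) for a rejected unit."""
        if len(unit) < SEQ_LEN + TAG_LEN:
            return None, "malformed"
        header, body, tag = unit[:SEQ_LEN], unit[SEQ_LEN:-TAG_LEN], unit[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        # Check the tag first: a modified or fabricated unit, or one built by a
        # masquerading party without the key, fails here (constant-time compare).
        if not hmac.compare_digest(tag, expected):
            return None, "integrity/authenticity failure"
        seq = struct.unpack(">Q", header)[0]
        # A captured and retransmitted unit (replay) carries a sequence
        # number that has already been accepted.
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        ks = _keystream(self.enc_key, seq, len(body))
        return bytes(c ^ k for c, k in zip(body, ks)), "ok"


def demo():
    """Run a legitimate unit, a replay, a modification and a forgery through one receiver."""
    key = generate_key()
    rx = Receiver(key)
    unit = protect(key, 1, b"pay 100 to bob")  # constructed sample message
    results = {"legitimate": rx.receive(unit)[1], "replay": rx.receive(unit)[1]}
    tampered = unit[:SEQ_LEN] + bytes([unit[SEQ_LEN] ^ 0x01]) + unit[SEQ_LEN + 1:]
    results["modification"] = rx.receive(tampered)[1]
    results["masquerade"] = rx.receive(protect(generate_key(), 2, b"pay 999 to eve"))[1]
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the slides' model implies but the code makes concrete: the sender must never reuse a sequence number under the same key, because the keystream would repeat; and the receiver verifies the tag before it decrypts or inspects anything else, so every active attack in the taxonomy is rejected by the same check, while a passive interception of the channel is simply not visible to either side and has to be countered by the confidentiality transformation rather than detected.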
Model for Network Access Security
(figure)

Model for Network Access Security

Using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users access designated information or resources
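As an added example, not part of the slides, the two steps above in one short program: a gatekeeper function that identifies the user by verifying a password against a salted PBKDF2-HMAC-SHA256 hash, followed by a security control that consults an explicit, default-deny policy before the resource is reached. The users, passwords, resources and policy are constructed sample data; PBKDF2 is chosen because it is in the Python standard library, not because the slides name it.

```python
import hashlib
import hmac
import secrets

# Added example of the model for network access security: gatekeeper
# (identification) followed by a security control (authorization).
# Users, passwords and policy are constructed sample data.

ITERATIONS = 100_000


def make_credential(password: str) -> dict:
    """Store a per-user random salt and the derived hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# A throwaway credential that is verified against when the username does not
# exist, so unknown and known usernames take about the same time to reject.
_DUMMY = make_credential(secrets.token_hex(16))


def gatekeeper(users: dict, username: str, password: str):
    """Step 1: identify the user. Returns the username, or None on failure."""
    cred = users.get(username, _DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    if username in users and hmac.compare_digest(digest, cred["hash"]):
        return username
    return None


def authorized(policy: dict, user: str, resource: str, action: str) -> bool:
    """Step 2: security control. policy[resource][user] is the set of allowed
    actions; anything not listed is refused (default deny)."""
    return action in policy.get(resource, {}).get(user, set())


def access(users: dict, policy: dict, username: str, password: str,
           resource: str, action: str) -> str:
    """Run one request through the gatekeeper and then the security control."""
    user = gatekeeper(users, username, password)
    if user is None:
        return "denied: identification failed"
    if not authorized(policy, user, resource, action):
        return "denied: not authorized"
    return f"granted: {user} may {action} {resource}"


# Constructed sample users and policy.
USERS = {
    "alice": make_credential("correct horse battery"),
    "bob": make_credential("hunter2"),
}
POLICY = {
    "payroll.db": {"alice": {"read", "write"}},
    "wiki": {"alice": {"read"}, "bob": {"read"}},
}


if __name__ == "__main__":
    for req in [("alice", "correct horse battery", "payroll.db", "write"),
                ("bob", "hunter2", "payroll.db", "read"),
                ("bob", "wrong", "wiki", "read"),
                ("mallory", "anything", "wiki", "read")]:
        print(req[0], req[2], req[3], "->", access(USERS, POLICY, *req))
```

The design point is the separation the model draws: identification answers "who is this?" and says nothing about permissions, while the security control answers "may this identified user do this to that resource?" and refuses by default. Keeping the two separate is what lets the policy be audited on its own.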
Questions

1. Define computer security. (2 marks)
2. What are the three objectives of computer security? Or: what is the CIA triad? (2 marks)
3. How are security services classified?
4. Explain the basic model for network security.
5. What are the four basic tasks in designing a particular security service?

Summary

• topic roadmap and standards organizations
• security concepts: confidentiality, integrity, availability
• X.800 security architecture
• security attacks, services, mechanisms
• models for network (access) security